Audit Log Protection: Avoiding a False Sense of Security
Evolving digital evidence laws, the changing IT landscape and the reliance on audit log data are causing financial losses and a false sense of security for organisations.
Published in: Technology

Transcript

  • 1. Audit Trail Protection: Avoiding a False Sense of Security. Nadeem Bukhari CISSP, CISM, VP of Product Strategy, Kinamik Data Integrity S.L. Tel Mobile: +34 628 629 322; Tel Office: +34 931 835 814; Email: nbukhari@kinamik.com; Website: http://www.kinamik.com
  • 2. Data Integrity
      - Data integrity is data that has a complete or whole structure. All characteristics of the data, including business rules, rules for how pieces of data relate, dates, definitions and lineage, must be correct for data to be complete (http://en.wikipedia.org/wiki/Data_integrity)
      - Integrity: the property of safeguarding the accuracy and completeness of assets [ISO/IEC 13335-1:2004]
      - (diagram labels: Data Quality, Data Security)
  • 3. Audit Trails Evolution
      - Regulatory and compliance demands for audit trail collection, preservation and reporting, e.g. PCI DSS, FISMA, FDA 21 CFR Part 11, EU DRD, SoX, SEC 14a, ISO27001, ...
      - Audit logs are company records.
      - SIEM & Log Management market: “Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013” (IDC)
      - Estimated growth of audit trails: the average overall data volume growth rate reported is just over 30% per year (Aberdeen)
      - Mobile market data growth is exponential
      - Credit for image: jscreationzs
  • 4. Audit Trails Issues
      - Which audit trails to collect?
      - Over-collection
      - Too many alerts
      - Evolving attack signatures
      - Inconsistent data formats
      - Developers need to know the audience, i.e. security, compliance, LOB, ...
      - Differing retention requirements
      - Excessive storage costs
      - Liabilities
  • 5. Audit Trails Security
      - Knowledge of how to change audit trails is now in the mainstream
      - The security perimeter is moving to the data element
      - Protection that is NOT near real-time gives a false sense of security
      - “system logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.” (ISO27001)
  • 6. Audit Trails Preservation
      - Digital evidence case law: American Express Travel Related Services Co. Inc. vs Vee Vinhee; Lorraine v. Markel American Insurance Company; California v Khaled
      - BS10008 – Evidential Weight and Legal Admissibility of Electronic Information
      - NIST SP 800-92 – Guide to Computer Security Log Management: “In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files”
  • 7. Audit Trails and the Cloud
      - High value target
      - Do the service provider's admins have access? You cannot control anything below the hypervisor
      - Service provider developers focus on the service first and do not know the entire audience
      - Access to the logs means access to multi-tenant information
      - Incident response / forensics: can you gather evidence? Will the audit log data's authenticity be provable?
  • 8. The Depth of Secure Logging
      - M. Bellare and B. Yee – Forward Integrity for Secure Audit Logs (1997)
      - Bruce Schneier / John Kelsey – Secure Audit Logs to Support Computer Forensics (1999)
      - J. Holt – Logcrypt: Forward Security and Public Verification for Secure Audit Logs (2006)
      - Rafael Accorsi – Safekeeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges (2009)
          - Transmission phase: origin authentication, message confidentiality, message integrity, message uniqueness, reliable delivery
          - Storage phase: entry accountability, entry integrity, entry confidentiality
      - Jeff Jonas (IBM Chief Scientist) / Markle Foundation – Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust, and Accountability (2006): “Immutable audit logs (IALs) will be a critical component for the information sharing environment”
      - (diagram: a chain of log entries, each DATA + Metadata with its #MAC, where each entry's #MAC is computed over the entry together with the preceding #MAC, continuing for every new entry)
  • 9. Audit Trails Integrity – Things to consider
      - Batching audit trails (e.g. into a file) leaves windows of opportunity for undetectable manipulation; a single change means maximal loss
      - Near real-time protection makes undetectable tampering very difficult
      - Sequential (chronological) protection is great for digital evidence
      - Key protection: what if the keys are compromised?
      - Overheads: performance, storage
      - Broken crypto algorithms: the tool needs to be able to change algorithm
  • 10. Audit Trails Availability
      - The retention period needs to be definable per audit trail
      - Tiered storage: online-only gets expensive
      - Degradation / decommissioned systems
  • 11. Audit Trails Confidentiality Issues
      - Access control: vulnerable to privileged accounts, segregation, collusion
      - Encryption: provides confidentiality only
  • 12. Non-Repudiation
      - Not being able to deny the truth or validity of something
      - “A service that provides proof of the integrity and origin of data”
      - “An authentication that with high assurance can be asserted to be genuine.”
      - Identity assurance + assured event
      - End-to-end trust / chain of custody
      - Ethics: non-repudiation is inevitable; use the technology to support the privacy policy
  • 13. Conclusion
      - Audit trail evolution brings greater reliance
      - Digital evidence evolution brings doubt about current authenticity controls
      - Granular, real-time data integrity protection brings data-centric controls
      - Cloud computing environments thrive with data-centric protection
  • 14. Nadeem Bukhari CISSP, CISM, VP of Product Strategy, Kinamik Data Integrity S.L. Tel Mobile: +34 628 629 322; Tel Office: +34 931 835 814; Email: nbukhari@kinamik.com; Website: http://www.kinamik.com
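The chained-#MAC diagram on slide 8 and the integrity considerations on slide 9 (per-entry protection versus batching, chronology, key compromise) can be shown concretely. The following is an added example written for this transcript; it is not code from the deck, from Kinamik, or from the cited papers. It implements the Bellare-Yee / Schneier-Kelsey idea of a forward-secure MAC chain with assumed building blocks: HMAC-SHA256 as the #MAC, a one-way SHA-256 key update after every entry, and a verifier that holds the initial key offline. All log records and keys are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed initial key: generated once when the log is opened; the verifier's
# copy is kept offline, which is what limits the damage of a key compromise.
INITIAL_KEY = b"constructed-demo-initial-key-do-not-reuse"
GENESIS = b"\x00" * 32  # stands in for the "previous #MAC" of the very first entry


def _mac(key: bytes, data: bytes) -> bytes:
    """The #MAC of the slide-8 diagram, assumed here to be HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _evolve(key: bytes) -> bytes:
    """One-way key update (assumed scheme: SHA-256 over a label and the key).
    The old key is discarded after the update, so someone who later obtains
    the live key cannot recompute MACs for earlier entries (forward integrity)."""
    return hashlib.sha256(b"audit-log-key-evolution|" + key).digest()


class SecureLog:
    """Protects every event as it is written (near real-time), not per batch."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_mac = GENESIS
        self.entries = []  # list of (record bytes, mac bytes)

    def append(self, data: str, metadata: dict) -> bytes:
        # A sequence number inside the record pins the chronology (slide 9).
        record = json.dumps(
            {"seq": len(self.entries), "data": data, "meta": metadata},
            sort_keys=True,
        ).encode()
        # #MAC = MAC(key_i, previous #MAC || DATA + Metadata)
        tag = _mac(self._key, self._prev_mac + record)
        self.entries.append((record, tag))
        self._prev_mac = tag
        self._key = _evolve(self._key)  # the key that signed this entry is now gone
        return tag

    def current_key(self) -> bytes:
        """The only key an intruder who compromises the live logger would obtain."""
        return self._key


def verify(initial_key: bytes, entries, expected_count: int):
    """Walk the chain with the offline initial key.
    Returns ("ok", None), ("tampered", first_bad_index) or ("truncated", present_count)."""
    key, prev = initial_key, GENESIS
    for i, (record, tag) in enumerate(entries):
        if not hmac.compare_digest(_mac(key, prev + record), tag):
            return ("tampered", i)
        prev, key = tag, _evolve(key)
    # A chain that simply stops early still verifies, so the verifier also needs
    # an out-of-band count (or a periodic closing record) to catch truncation.
    if len(entries) < expected_count:
        return ("truncated", len(entries))
    return ("ok", None)


def demo():
    """Constructed scenario: three events, then three kinds of manipulation."""
    log = SecureLog(INITIAL_KEY)
    log.append("alice logged in", {"host": "web-01"})
    log.append("alice read /payroll/q3.xlsx", {"host": "web-01"})
    log.append("alice logged out", {"host": "web-01"})
    entries = list(log.entries)
    n = len(entries)

    intact = verify(INITIAL_KEY, entries, n)

    # 1. Edit a stored record, leaving its tag alone: detected at that entry.
    edited = list(entries)
    rec, tag = edited[1]
    edited[1] = (rec.replace(b"alice", b"mallory"), tag)
    edit_result = verify(INITIAL_KEY, edited, n)

    # 2. Edit and re-MAC using the key stolen from the live logger: still detected,
    #    because the key that actually signed entry 1 no longer exists anywhere.
    forged = list(entries)
    rec, _ = forged[1]
    new_rec = rec.replace(b"alice", b"mallory")
    forged[1] = (new_rec, _mac(log.current_key(), entries[0][1] + new_rec))
    forge_result = verify(INITIAL_KEY, forged, n)

    # 3. Drop the last entry: the chain verifies, the count does not.
    trunc_result = verify(INITIAL_KEY, entries[:-1], n)
    return intact, edit_result, forge_result, trunc_result


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "forged", "truncated"), demo()):
        print(f"{label:10s} -> {result}")
```

Two points the deck makes fall out of the code. First, contrast this with hashing a batch file at close of day: every write inside that window is unprotected, which is the "window of opportunity" of slide 9. Second, the evolving key only helps if the initial key really is unavailable to the logger after start-up; it is the verifier's offline copy, plus the out-of-band count, that makes the chain evidence rather than decoration.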